Stripe Capture The Flag
I just finished the security vulnerability contest Stripe CTF. Now this was a really fun exercise. (Note: if it's before Wednesday, Aug 26 2012, you still have time to do the Stripe CTF.)
Basically, Stripe set up 9 levels, each a standalone web server. Each level tested your ability to exploit a security vulnerability in the web server. It started out easy, with solutions taking a small amount of effort, but by levels 5 and 6, the time per solution had risen significantly. Eventually, it came down to a complicated multi-step strategy in level 8 (level numbers were 0-based, naturally). You can read more about it in their blog post.
I’m a learning-by-doing sort of person. I’ve heard of cross-site request forgeries and cross-site scripting before. I’ve known what SQL injection is. But getting hands-on experience at trying to identify vulnerabilities in source code and figuring out how you (the attacker) actually execute the attack, in addition to all the associated nuances, teaches me a lot more about those vulnerabilities than anything else.
The vulnerabilities that I exploited during the competition were:
- SQL regex globbing
- Parameter expansion
- SQL injection with UNION
- CSRF (cross-site request forgeries) with JavaScript injection
- Arbitrary code uploads using a picture uploader
- Acquiring SSH access to a web server
- Performing an extension length attack
- Doing a brute-force (or as a former coworker called it, brutal force) attack on a flawed password-storage architecture
I’m now a much more security-aware coder, and I’ll develop more secure web code in the future. Thank you Stripe! And, I get a T-shirt! :D.
I’ll write up my solutions after next Wednesday, when the competition ends.